Current Major Release:
OTOBO 10.1 is stable since 03.03.2022
Read the Release Notes with all the details on OTOBO 10.1 stable
Current versions:
OTOBO 10.0.18 & OTOBO 10.1.7
Find download links to the most recent OTOBO installer packages for the various LINUX distributions and the Docker Image here:
From version 10.0.7 on, we recommend installing via Docker.
Docker® Image
OTOBO 10
OTOBO 10.1
GitHub
Manuals
Release News
Read more about the current release in the Release Notes and in our forum.
Security Advisories
Security Advisory 2022-04
Fixed a vulnerability enabling attackers to inject SQL code in the web service operation TicketSearch.
Criticality: Medium (5.6).
Patched in OTOBO 10.0.17 and 10.1.6
Security Advisory 2022-03
Fixed vulnerabilities in the Admin module which allowed attackers with OTOBO admin rights to gain extended permissions.
Criticality: Medium (5.6)
Patched in OTOBO 10.1.5
Security Advisory 2022-02
Fixed XSS vulnerability in package manager GUI (CVE-2022-0475).
Criticality: Medium (5.6)
Patched in OTOBO 10.0.16 and 10.1.3
Security Advisory 2022-01
OTOBO admins or attackers impersonating an OTOBO admin could use certain OTOBO features to obtain permissions on the server.
Criticality: High
Patched in OTOBO 10.0.16 and 10.1.3
Information on Log4J Zero Day Exploit
OTOBO is generally not susceptible to the Log4J Zero Day Exploit.
Details and reservations. In OTOBO 10.0.14 an update to the latest Elasticsearch version 7.16.1 is included out of an abundance of caution.
OTOBO 10.0.15 / OTOBO 10.1 provide an update to Elasticsearch 7.16.2 and log4j 2.17.0.
Security Advisory 2021-13
Possible JavaScript injection in dynamic field error messages. An OTOBO admin had the possibility to inject JavaScript code into dynamic field error messages.
Criticality: Low.
Patched in OTOBO 10.0.13.
Security Advisory 2021-12
Open Redirect in external URL jump.
If activated, ExternalURLJump provided an open redirect, which could be used in phishing attacks to mask a link to a malicious website to an unsuspecting person.
Criticality: Medium.
Patched in OTOBO 10.0.13.
Security Advisory 2021-11
Authenticated customer users sharing the same CustomerID could see company tickets in the Elasticsearch quick search even though DisableCustomerCompanyTickets was activated.
Criticality: Low.
Patched in OTOBO 10.0.12.
Security Advisory 2021-10
Packages from the Docker base image are outdated and contain known vulnerabilities. This Security Advisory only affects Docker systems.
Criticality: Medium.
Patched in OTOBO 10.0.12.
Security Advisory 2021-09
Authenticated agents were able to list appointments from calendars they were not entitled to access (CVE-2021-36091).
Thanks for this hint to Centuran Consulting.
Criticality: Low.
Patched in OTOBO 10.0.12.
Security Advisory 2021-08
Authenticated agents were able to list customer emails from tickets they were not entitled to access (CVE-2021-21443).
Thanks for this hint to Centuran Consulting.
Criticality: Low.
Patched in OTOBO 10.0.12.
Security Advisory 2021-07
Generated support bundles may contain private S/MIME and PGP keys if the folder they are saved in has not been actively hidden (CVE-2021-21440). Thanks for the hint to Julian Droste.
Criticality: Medium (5.2).
Patched in OTOBO 10.0.12.
Security Advisory 2021-06
There was an XSS vulnerability in the Time Accounting Module.
The vulnerability was reported by an anonymous developer (CVE-2021-21442)
Criticality: Medium.
Patched in OTOBO Time Accounting 10.0.2
Security Advisory 2021-05
A vulnerability made it possible for an attacker to use JavaScript injection via a manipulated link or CSRF to create tickets on behalf of a CustomerUser interacting with the manipulated resource, or to change their preferences (except the password).
Thanks to hypnguyen1209 for sharing the issue.
Criticality: Low.
Patched in OTOBO 10.0.11.
Security Advisory 2021-04
Attackers were able to read data from the ticket overview by way of an XSS attack using a manipulated email. Thanks to the Znuny team for sharing the issue and providing the fix (ZSA-2021-06; Criticality: high).
A security issue in JQuery-Validate enabled ReDoS attacks (CVE-2021-21252; criticality: low).
Criticality: High
Patched in OTOBO 10.0.10.
Security Advisory 2021-03
In PSGI-based Docker installations, OTOBO admins could access sensitive data. This vulnerability ONLY affects systems where PSGI was explicitly chosen during installation. Standard installations implemented as described in the documentation are NOT affected.
Patched in OTOBO 10.0.9.
Security Advisory 2021-02
Survey module: administrators could design surveys so that malicious code is executed in the agent area (by another agent who wants to make changes to the survey). Read more
Risk Level: 3.5 LOW.
Patched in OTOBO Survey Module 10.0.3.
Security Advisory 2021-01
Several vulnerabilities in CKEditor. Read more
Criticality: Medium (5.5)
Patched in OTOBO 10.0.8
Security Advisory 2020-01
OTOBO uses jQuery version 3.4.1, which is vulnerable to cross-site scripting (XSS). Read more.
Risk Level: 6.3 / 6.5 MEDIUM.
Patched in OTOBO 10.0.5.
Additional features and packages can be found at https://ftp.otobo.org/pub/otobo/packages/ and in the OTOBO Package Administration.
Thank you for your contributions to OTOBO!
Please visit the OTOBO Forum for support, current information, and feedback regarding OTOBO.
Stay up-to-date with OTOBO News.
We'll keep you posted with information from Rother OSS and the latest news on OTOBO - about once a month.
Queries?
Just get in touch!
We look forward to hearing from you.

Rother OSS
Business Services
from the makers of OTOBO
From People for People.
With a smiling face.
Contact
T DE +49 9427 – 68 39 000
T CH +41 71 – 552 08 80
hallo@otobo.de